Delegate certificate issues
This topic provides solutions for common delegate certificate issues.
Delegate fails to register
In some scenarios, the delegate might start to register and then fail. There are two common exceptions that might occur: an SSLHandshakeException and a signature check failure.
Handshake exception
You might experience a javax.net.ssl.SSLHandshakeException: unable to find valid certification path to requested target exception.
This typically means the Java truststore file doesn't have the required certificate to connect to Harness Manager because of a missing Certificate Authority (CA).
Handshake exception solutions
To resolve the handshake exception, do the following:
- Run the command below to test the certificate chain you used to install Harness Manager.
  curl --cacert path/to/ca-certs/file https://<MANAGER_HOST>/api/account/<ACCOUNT_ID>/status
- Install the certificate on the delegate. For more information, go to Install delegates with custom certificates.
- Follow the appropriate steps below, based on whether you use the OpenSSL tool.
Use the OpenSSL tool
When the OpenSSL tool isn't present
Signature check failure
In some scenarios, you might experience a signature check failed: Signature length not correct: got 512 but was expecting 256 exception.
This exception occurs because the length of the public key does not match the length of the signature. During the TLS handshake, the signature the delegate (client side) receives belongs to the certificate sent by the server, while the public key used to verify it comes from the truststore file that the delegate loads during startup. The issue can occur when the delegate is not installed with CA certificates that correctly match the server side.
Signature check failure solution
The solution is similar to resolving the handshake exception. Follow the steps above to find the correct CA certs to install.
Certificate inspection commands
The following commands can help you inspect your certificates.
Inspect a certificate chain - x509 PEM file
keytool -printcert -file /path/to/cert
openssl x509 -text -noout -in certificate.pem
Inspect a truststore file
keytool -list -v -keystore /path/to/truststore
Import x509 certs into a truststore file
Keytool cannot import an entire PEM file with multiple certs. If a CA bundle file has multiple PEM blocks, you must divide each block into an individual file, and run the command below.
keytool -noprompt -import -trustcacerts -file <path/to/cert/file> -alias <UNIQUE_NAME> -keystore <path/to/truststore/file> -storepass changeit
To divide a CA bundle file into individual files, run the command below.
csplit -z ca-bundle.crt /#/ '{*}'   # split into multiple files (xx00, xx01, ...) at each line containing '#'
sed -i '/^$/d' xx*                  # remove blank lines from the split files
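The following script is an added example and is not part of the Harness documentation. It carries the procedure above through end to end: it splits a multi-certificate PEM bundle into one file per certificate and then imports each file into a Java truststore under a unique alias. It goes beyond the csplit command above in one respect, which is that it splits on the PEM BEGIN CERTIFICATE marker rather than on '#' comment lines, so it also handles bundles that have no comments between certificates. The two-certificate bundle written by write_sample_bundle is constructed placeholder data, not real certificates, so the demo at the bottom only splits it; run import_certs against a real bundle.

```shell
#!/bin/sh
# Added example, not Harness code. Split a CA bundle into individual PEM files
# and import each into a Java truststore (keytool cannot import a multi-cert PEM).

# split_bundle BUNDLE OUTDIR: writes OUTDIR/cert-NN.pem for each certificate
# block in BUNDLE and prints the number of files written.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        # a BEGIN marker starts a new output file; text outside a block is dropped
        /-----BEGIN CERTIFICATE-----/ { n++; file = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 && file != ""          { print > file }
        /-----END CERTIFICATE-----/  { close(file); file = "" }
        END                          { print n + 0 }
    ' "$bundle"
}

# import_certs OUTDIR TRUSTSTORE STOREPASS: imports every split file, using the
# file name (cert-01, cert-02, ...) as the unique alias keytool requires.
import_certs() {
    outdir=$1
    truststore=$2
    storepass=$3
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found on PATH; skipping import" >&2
        return 0
    fi
    for f in "$outdir"/cert-*.pem; do
        alias=$(basename "$f" .pem)
        keytool -noprompt -import -trustcacerts -file "$f" -alias "$alias" \
            -keystore "$truststore" -storepass "$storepass"
    done
}

# write_sample_bundle FILE: constructed two-entry bundle with placeholder bodies
# (not real certificates), including a '#' comment line between the entries.
write_sample_bundle() {
    cat > "$1" <<'EOF'
# Constructed sample bundle: placeholder data, not real CA certificates
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
# second entry
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
EOF
}

# Demo: split the constructed bundle. Import is not run here because the
# placeholder blocks are not parseable certificates.
workdir=$(mktemp -d)
write_sample_bundle "$workdir/ca-bundle.crt"
count=$(split_bundle "$workdir/ca-bundle.crt" "$workdir/split")
echo "wrote $count certificate files to $workdir/split"
```

With a real bundle, follow the split with `import_certs "$workdir/split" /path/to/truststore changeit`, then confirm the entries with `keytool -list -v -keystore /path/to/truststore`.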
Certificate issues when using vanity URLs
If you encounter certificate errors with a vanity URL (*.harness.io) that was working fine with app.harness.io, follow these steps:
- Generate Certificates for the Vanity URL:
  - Generate SSL/TLS certificates for the specific vanity URL (*.harness.io).
  - Ensure they are correctly signed by a trusted Certificate Authority (CA) or configured as trusted if self-signed.
- Mount the Certificates:
  - Use the Harness documentation to mount the certificates in your Kubernetes build infrastructure.
- Override Configuration in Delegate YAML:
  - Update the delegate YAML to override MANAGER_HOST_AND_PORT and LOG_STREAMING_SERVICE_URL for vanity URLs:
    MANAGER_HOST_AND_PORT: https://YOUR_SUBDOMAIN.harness.io/gratis
    LOG_STREAMING_SERVICE_URL: https://YOUR_SUBDOMAIN.harness.io/gratis/log-service/
  - Ensure that the delegate is restarted after making these changes to apply the new configuration.
Following these steps should resolve the certificate errors with your vanity URL.